Thursday, 15 September 2011

After more than a year, my first day in court

A little more than a year after I filed suit against the Customs and Border Protection (CBP) division of DHS to find out what records they are keeping about my international travels, and what they have done with those records, I had my first real day in court today in front of Federal Judge Richard Seeborg in San Francisco.

Judge Seeborg was appointed as a judge of the U.S. District Court by President Obama, after a decade as a Federal magistrate and seven years before that as a Federal prosecutor. On first impression, he seems fair-minded and thoughtful, although -- like most judges -- inclined to give more "deference" than is warranted to even implausible claims by police and prosecutors, such as some of those made in the declarations submitted by the CBP in opposition to my complaint.

I was represented by David Greene of Holme Roberts & Owen (formerly executive director and staff counsel of the First Amendment Project), who conducted today's argument on my behalf, along with FAP staff attorney Lowell Chow. Former FAP staff attorney Geoffrey King also worked on earlier stages of the case, as did several FAP law school student interns, who I was pleased were able to attend the argument. I'm grateful to them all for their contributions.

As we expected, and as is usual, no decision by the court was announced at today's hearing. In each of the other cases on Judge Seeborg's motion calendar today, he began by describing how he was "inclined" to rule on the matters before him. In my case, however, Judge Seeborg began -- after some comments about how ill-suited the typical summary judgment motion practice is to FOIA or Privacy Act cases like this, where the issues only gradually become clear in the course of the briefing -- by saying that after reading the lengthy pleadings he had only the most tentative "impression" as to how he might rule on any of the issues.

In other words, he still had an open mind, and oral argument might actually matter.

With that preface, Judge Seeborg invited my attorney David Greene to address whatever issues he thought were most important, and then gave AUSA Neill Tseng an opportunity to respond for the CBP.

If you're just tuning in, the best places to start are the Identity Project FAQ (for the political issues and significance of the case) and our last reply brief before today's argument (for the legal issues).

Broadly speaking, the argument focused on what I would group into four main questions:

(1) Does the CBP (or any Federal agency) have the authority to issue retroactive regulations exempting itself from complying with previously-made Privacy Act requests for access to records and for an accounting of disclosures of those records to other agencies or third parties?

I don't think Congress should have given Federal agencies the authority to exempt themselves from the access and accounting requirements of the Privacy Act. But I'm not challenging that general authority in this case (although I or someone else could do so in a future case). The issue now before Judge Seeborg is that the first of my requests was made before the CBP had even announced that they were considering the possibility of such an exemption, and all of my requests were made months or years before the exemption rules were issued.

David Greene argued on my behalf that my requests should have been processed, and information should have been disclosed to me, according to the rules in effect at the time the requests were made. Instead, the CBP has admitted that after identifying some of the records responsive to my requests, they sat on the records for 17 months until after they had finalized the regulations exempting themselves from having to release them to me.

AUSA Neill Tseng argued for the CBP that applying the exemption rules to requests that had been made months or years earlier has no "retroactive" effect, since (a) I hadn't actually filed my lawsuit yet (only unanswered administrative requests and unanswered administrative appeals) when the exemption rules were promulgated, and (b) there were no negative consequences to not being able to know what's in CBP files about me or with whom they have been shared. This ignores, of course, the fact that these records are being used by CBP and other foreign governments to make decisions with consequences such as whether or not to allow me to board airline flights, or how intrusively to search or interrogate me when I travel.

David Greene also pointed out that the precedents cited by CBP for retroactive application of rules related to rules contained in new laws enacted by Congress, not to new regulations issued by Federal agencies, and to amendments to FOIA rather than to the Privacy Act. In general, Federal agencies have no authority to issue retroactive regulations unless Congress has granted them express statutory authority to do so in a particular area, which they haven't done with respect to the Privacy Act.

There are some parallels between the Freedom of Information Act (FOIA) and the Privacy Act, and most lawyers and Federal judges are (as Judge Seeborg volunteered) more familiar with FOIA litigation and case law. Nevertheless, these are different laws which protect different rights. Moreover, the consequences of withdrawing Privacy Act rights are very different from those of withdrawing FOIA rights.

FOIA exists to protect the public right of access to impersonal public records about the activities of government. The Privacy Act protects the individual right of access to personally identifiable, non-public government records about oneself. Retroactive denial of that private, personal right -- on which I had relied, in the expectation of eventually being able to see what was in CBP's records about me, know to whom they had been disclosed, and have them expunged or corrected if they were irrelevant or inaccurate -- is a very different sort of damage than keeping impersonal public records secret even if they have already been requested.

Judge Seeborg gave absolutely no indication whatsoever of his thinking or likely ruling on this issue of retroactive application of Privacy Act exemption regulations. If he rules that the exemptions cannot be applied to my requests, there is likely to be both some further eventual disclosure of records to me, and further argument about the search for responsive records, which records should be released, and whether CBP has complied with its record-keeping obligations (particularly its obligation to maintain an "accounting of disclosures").

It's critical to realize, however, that this argument about retroactive application of the exemptions is relevant only to my requests (or to any other requests that were made before the exemption regulations were finalized).

Even if I am successful on this point and in the lawsuit as a whole, I (and perhaps a handful of others who made request before the new rules were issued) will be the only person who will ever be entitled to obtain any of my travel records from DHS under the Privacy Act, or to obtain any accounting of the other agencies, foreign governments, or private companies in the USA or abroad to which they have been disclosed.

Now that the exemption regulations are in effect, nobody -- even a U.S. citizen -- who makes a new request for their PNR data or other travel records from CBP or DHS has any right under the Privacy Act and the current regulations to receive any information at all from the government's files about them.

Debate in the European Union in particular needs to be based on a clear understanding that when the U.S. says that foreign citizens will be "administratively" granted the same rights U.S. citizens have under the Privacy Act (except the right to sue to enforce those rights), that means that foreigners will, like U.S. citizens, have no Privacy Act rights at all to find out what records CBP and DHS keep about their travels, or how these travel records are used.

It important to recognize that the whole issue of Privacy Act exemptions, much less of their retroactive application, would never have arisen if CBP had done what is has claimed to have done, and provided everyone who requested it with a copy of CBP's dossier about them.

Quite to the contrary, CBP admitted in court today, and in its written briefs in my case, that it identified specific records about me that would be responsive to my Privacy Act requests, but withheld them as exempt from disclosure.

Any further claims to the EU by CBP, DHS, or other U.S. representatives that everyone who has requested their travel records has received them must be rejected as knowingly false, deliberately intended to mislead the EU and the European public about U.S. compliance with its (non-binding) "agreements" with the EU, and directly contradicted by the sworn statements made to the court in this case by CBP officials and attorneys.

(2) What personal identifiers are used to retrieve PNR data and other CBP travel records?

The Privacy Act of 1974 defines a "system of records" as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual."

The Privacy Act requires that each Federal government agency that maintains such a system of records shall, "publish in the Federal Register ... a notice of the existence and character of the system of records, which notice shall include -- ... the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records."

There's a good reason for this requirement. Without knowing which categories of data are used to retrieve records, it's impossible to know which information about oneself to include in a request for records about oneself. Compliance with the requirement for public disclosure of retrieval practices, at least as to the personal identifiers used to retrieve records, is an essential prerequisite to the ability to exercise a meaningful personal right of access to those records.

Unfortunately, most of the CBP "System of Records Notices", including those for the "Automated Targeting System" (ATS) and other systems of travel records, have said only that information is retrieved by "personal identifiers", without specifying what those identifiers are.

So part of my FOIA request to CBP was for any records of what personal identifiers are used to retrieve PNR, ATS, and other travel records.

Since that information is specifically required by the Privacy Act to be published in the Federal Register, it shouldn't be treated as exempt from disclosure if requested under FOIA.

At today's hearing, AUSA Tseng argued that -- notwithstanding the requirement of the Privacy Act for publication of this information in the Federal Register, which he didn't mention -- this information should be exempt from disclosure even when specifically requested under FOIA.

"Whether we can retrieve records based on credit card number," AUSA Tseng gave as an example, "is sensitive law enforcement information" exempt from disclosure under FOIA. Rather than arguing about the extent of what information about search and retrieval practices is required by the Privacy Act to be made public, CBP is now arguing that none of the specific identifiers need to be disclosed. "There are good reasons not to state every identifier by which records can be searched for or retrieved."

It has been considered to be settled law that information specifically required to be disclosed pursuant to some other law (which would seem to include the Privacy Act) cannot be withheld from disclosure in response to a FOIA request, even if it might otherwise be exempt from FOIA. But to date, no court has yet addressed the question of what is required to be included in the Privacy Act notice of "the policies and practices of the agency regarding ... retrievability ... of the records." So it's hard to say how Judge Seeborg will rule on this point.

(3) Are there any access logs or other records of the searches for, and/or retrieval of, CBP records about me?

As was noted in my reply brief, CBP and DHS have cliamed repeatedly -- including in their Privacy Impact Assessments and in reports to and "agreements" with the European Union -- that all access to PNR and ATS data is logged for audit purposes.

If they exist, those logs should include records of the searches CBP carried out to identify and retrieve records about me, in response to my Privacy Act and FOIA requests, as were described in declarations submitted by CBP staff in opposition to my lawsuit.

So I expected that, when I requested all records created in the course of processing my initial request, the response would include these search and access logs.

CBP admits that they didn't even search for these logs. During today's hearing, AUSA Tseng said that, "I'm not even sure that 'logs' is the correct term for these records", despite the repeated descriptions of them as "logs" in previous official DHS statements.

Apparently referring to a description provided by CBP (but not in their briefs), Tseng said that these "audit" records include each query that is made to the databases, the employee ID of the person making the query, and the date and time of the query.

But Tseng claimed that these audit records can only be searched by employee ID, date, and/or time, and not by anything that identifies the person about whom records were searched for or retrieved.

So it would be impossible, Tseng claimed, to find out from these logs who had searched for or retrieved which records about me, when, or using what query.

That seems unlikely, since it would render the "logs" useless for the purpose for which they are supposedly intended: Auditing whether personal information has been improperly viewed, used, or disclosed.

If an auditor wants to know, for example, whether any system user has improperly retrieved records about President Obama (as was done with his passport records), they wouldn't start with the name or ID of the person who had improperly looked at the President's file, or the date and time when they had done so. None of that would yet be known. They would start, obviously, by looking for all audit records for queries that including the search string "Obama", or some other unique identifier(s) of the President.

Perhaps realizing that his claims about the logs appeared dubious, Tseng said that CBP would be able, if Judge Seeborg so desires, to provide additional declarations clarifying the functions and capabilities of the audit log system. I hope that Judge Seeborg will take him up on that offer.

In the meantime, anyone reading or hearing CBP and DHS claims about the auditing of access to these records should be aware of CBP's claims in my case about how limited the logs are. In particular, CBP specifically claimed today that it is impossible to generate from these "logs" any list of who searched for or retrieved records about me, when, or using what queries. If what CBP says is true, they don't know, and have no way to find out, who has looked at my file. Any of tens of thousands of DHS employees with access to the system could have looked up their dossier about me, and there's no way for CBP auditors or for me to find out if that has happened.

(4) Did CBP conduct an adequate search for its records responsive to my requests?

The adequacy of an agency's search for records responsive to a Privacy Act of FOIA request is a judgment call that depends largely on the judge's degree of trust in the agency's competence and good faith. In general, Judge Seeborg's "impression" seemed to be that in most respects he was willing to accept what CBP claimed to have done as being "adequate", despite the long list in our reply brief and my supporting declaration of specific records that I have reason to believe exists, or that CBP has said exist, but that CBP didn't even look for in response to my requests.

It's not clear, with respect to some of these items, whether CBP didn't look for them because they thought they didn't or might not exist or because it would be too hard to find them if they did exist, looked for them in some unspecified or ineffective way but didn't find them, did find them or knew they existed but thought they weren't "responsive" to my requests, or knew they existed and were responsive but didn't produce them because they thought they were exempt.

There was some argument about why I believe some of this information exists, whether it would be responsive to my requests, and whether and how it would be reasonable to search for it.

On many of these points I fear that Judge Seeborg may be inclined to defer to CBP's judgment. The only category of these records that seemed to concern him were those that CBP essentially admits they know exist, such as specific e-mail messages within CBP about my request that were mentioned in CBP declarations but not listed on their "Vaughn index" of responsive records that they have withheld.

AUSA Tseng repeated the claim in one of the CBP declarations that CBP believed that this e-mail either wasn't responsive or was exempt. "But in that case, aren't you required to list it" on the Vaughn index and state the basis for your claim that it's exempt?, Judge Seeborg asked.

Tseng was quick to offer to file a supplemental Vaughn index listing at least some of these items, and I expect that Judge Seeborg will order CBP to do so.

Unless Judge Seeborg rules against me on all of these issues, and grants CBP's motions for summary judgment against me in their entirety, his initial ruling won't be the end of the case.

"Congress shall make no law ... abridging ... the right of the people peaceably to assemble." (U.S. Constitution)

"Everyone has the right to freedom of movement and residence within the borders of each state. Everyone has the right to leave any country, including his own, and to return to his country." (Universal Declaration of Human Rights)

"Liberty of movement is an indispensable condition for the free development of a person." (United Nations Human Rights Committee)